Engadget RSS Feed: http://www.engadget.com
Copyright 2015 AOL Inc. The contents of this feed are available for non-commercial use only.

http://www.engadget.com/2015/01/13/apple-two-factor-limits/

Apple took a big step forward when it expanded the scope of its two-step authentication last year, since it's now relatively hard to peek at someone's sensitive content unless you also have their device. However, this extra security measure still isn't the all-encompassing safety net you might expect it to be. Need proof? Just ask Dani Grant: she recently gave a friendly reminder that two-factor doesn't even enter the picture with a number of Apple's services. You only need an Apple ID's email address and password to get into FaceTime, iMessage, iTunes and the company's website. You'll need verification if you change account details, sign in to iCloud or try to buy an app, but that basic login is enough to see people's contact information, view their app download history or impersonate them on iMessage. You don't always get email alerts (they typically appear when signing into FaceTime, iCloud or iMessage for the first time on a new device), so it's possible for someone to misuse your account without your knowledge.

Forget having to lift smudges from a touchscreen to copy someone's fingerprints. According to a Chaos Computer Club presentation, you only need a camera... well, that and a little luck. The hacking association's Jan Krissler recently demonstrated that you can reproduce someone's fingerprint by getting a few good photos of their hand and processing them through off-the-shelf authentication software like VeriFinger. In Krissler's case, he got the German Defense Minister's thumbprint through photos from a press conference.

Hate typing passwords? You might not have to enter them for much longer. The FIDO Alliance (backed by Google, Microsoft, PayPal and Samsung, among others) has just published the completed versions of its password-free standards for both regular and two-factor authentication. Apps and websites using the technology can now rely on a number of easier and typically more secure ways to sign you in, such as fingerprint readers and USB dongles, without having to worry about the exact device you're using. There are already some hardware and software solutions that play nicely with FIDO, but the existence of firm specs should significantly boost your choices in 2015.

It shouldn't surprise you that Google's a big proponent of online security, and that's why it's rolling out support for a new way to prove you are who you are: a USB Security Key. Google's normal approach to two-step authorization involves getting a text on your phone to verify your identity, but that isn't always ideal. Maybe you suck at keeping your phone charged. Or maybe you're abroad (your author's had to deal with that particular headache a few times) and don't want to get slammed with roaming charges. Having a dedicated secure USB key around means you'll be able to log into Google's ecosystem without having to worry about phishing or having your phone handy.

The Portable SIM, as Japan's Docomo is calling it, will combine your tiny mobile card with Bluetooth and NFC to make a standalone authentication device, allowing users to 'wave' the portable over tablets and smartphones to connect and log in to phone networks, transferring information like phone numbers and login details, and opening up the possibility of multiple devices with a single SIM card. (Android and iOS, all at once!) It will even store multiple online logins for shopping sites and social networks, according to Japan's largest phone carrier. The current prototype is around the size of a WiFi hotspot, although Docomo plans to shrink the tech down to a size that would fit into a wearable device, likely to be around the size of current wearables like Acer's Leap band we've used in the mock-up above.

Tags: authentication, docomo, japan, mobilepostcross, portablesim, sim
Tue, 10 Jun 2014 03:01:00 -0400

http://wow.joystiq.com/2014/04/29/login-issues-plague-all-battle-net-games/
It's Tuesday, which means maintenance -- or in this case, post-maintenance -- server problems. At present, @BlizzardCS says login issues for North American realms are under investigation -- though they may already be starting to clear up. If you manage to get into the Battle.net launcher, it will helpfully inform you: "Login to the Battle.net desktop app is currently unavailable. However, you can continue to use Battle.net in offline mode to launch and play games that are available offline."

I guess that means tonight's Diablo3 rift runs are going to be replaced by Diablo2 leveling.

Even as HBO Go has launched on new platforms over the years, people who pay for TV service and HBO have occasionally found that their provider won't play along. That's been the case for DirecTV subscribers with a Roku ever since the app rolled out in 2011, but now things have changed. Customers started seeing the change Thursday and now the DirecTV Twitter account confirms subscribers can use their account logins on Roku. The Syfy Now app on iOS also has a fresh update that says it supports DirecTV accounts, while some users say they've been able to log in to apps for History, A&E, and Lifetime, although that doesn't appear to be officially available yet. Comcast Xfinity customers are the most notable remaining group still denied activations on Roku and Samsung Smart TVs, although the service does support Apple TV and Xbox 360. Will that ever change? After this move and the recent arrival of YouTube on the platform, here's hoping Comcast, Roku and Time Warner can get together to keep the streak going.

The FIDO Alliance is on a roll: It already has support from heavyweights like Google and Lenovo in its quest to eliminate password-based sign-ins, and it's now bringing Microsoft into the fold. The software pioneer is taking a seat at the Alliance's board of directors, where it will help shape open authentication standards. Microsoft isn't revealing what it would like to do with FIDO at this early stage, but it's easy to see the company improving both its verification methods and Windows' support for biometric readers. There are still gaps in the Alliance's membership -- Apple and Samsung aren't involved, for instance. Still, Redmond's involvement makes it clearer than ever that the group will have a lot of say over our future digital security.

If you hadn't heard, fingerprint readers are in vogue these days. Synaptics clearly knows it: the company just acquired Validity, a firm that specializes in finger-based authentication. The $92.5 million deal gives Synaptics both access to the biometric market and a complement to its existing touch input devices. While the company isn't detailing its plans, it's easy to see the potential impact. When Synaptics makes the majority of laptop trackpads, there's a real chance that fingerprint sign-ins on PCs could become commonplace.

The FIDO Alliance hinted that mobile fingerprint readers would play a part in its passcode-free strategy, and it turns out that we'll see those readers quite soon. Group president Michael Barrett tells USA Today that Android smartphones with FIDO-based fingerprint readers should be available in about six months, or early 2014. While the Alliance isn't saying which companies are launching those devices, we'd expect FIDO members like Lenovo and LG to embrace the technology first. As for other platforms? Barrett believes that Apple's Touch ID could work with FIDO, but we wouldn't count on it when Apple is still hesitant to embrace third-party developers.

Unlike faces and fingerprints, a heart's electrical activity is difficult to fake -- it's a unique and potentially ideal security tool. Bionym is taking advantage of this trustworthiness in its upcoming Nymi bracelet. The wristwear authenticates users through a combination of electrocardiograms and Bluetooth proximity detection; if Nymi recognizes your heart rhythm, it automatically logs you into nearby devices. The bracelet also recognizes gesture commands, and a future developer kit should extend the gadget's usefulness beyond basic security for PCs and smartphones. It could unlock doors or make retail payments, for example. Nymi won't ship until early 2014, but it's already available for pre-order at a $79 early bird price.

Tags: authentication, biometric, bionym, ecg, Electrocardiogram, heart, nymi, security, video, wearable, wristband
Tue, 03 Sep 2013 16:31:00 -0400

http://massively.joystiq.com/2013/08/29/ccp-adds-email-verification-to-eve-online-accounts/
Immigrants to EVE Online's New Eden will have an extra layer of security as of today, with CCP rolling out mandatory email verification to all new accounts. Email verification is the first of several upcoming security improvements for EVE, one that brings the 10-year-old game closer in step with more recent releases.

The process will be familiar to MMO veterans: When creating an EVE account, all new players must validate the registered email address by following instructions provided in an email from CCP. Existing EVE players have the option of verifying their email addresses as well; a new "Verify Email Address" option has been added to the game's account management page.

CCP encourages all users to log into EVE's account management system to ensure their information is correct and to take advantage of the new verification system.

PayPal employees at the company's UK headquarters are tired of having to use traditional payment methods when buying their rocket and crayfish sarnies. It's almost an affront, in fact, so they're pushing local retailers in Richmond Upon Thames to trial an updated, entirely PayPal-based system that uses photo authentication to make things faster. If you want to try it, go to the "Local" section of your PayPal app (on iOS, Android or WP), which should show nearby participating shops, and simply select the one you're visiting -- this will then cause your name and profile picture to come up on the seller's app so they can verify you're the account holder and process the transaction. Having given it a quick armchair run-through, the system looks similar to what PayPal already offers in some Australian stores, and it's apparently PIN-free at the point of purchase -- although you'll obviously have had to authenticate your app when you installed it, as well as have uploaded a reasonably realistic (and preferably static) profile picture.

Nickelodeon released an iPad app with full episode streaming back in February, but now an update has opened things up to the iPhone and iPod touch as well. Version 1.1 also promises more music videos and less crashing, among other tweaks. However, if you have an agreeable cable or satellite provider, then the ability to watch video on-demand is the headliner. There are a few episodes available without logging in, but subscribers to DirecTV, Time Warner Cable, U-verse, FiOS, Bright House Networks, Cablevision, Hawaiian Telecom, Suddenlink and RCN will get the most mileage. Of course, if the kids (or, adult Big Time Rush fans, whatever works) prefer to watch their TV on TV, they may prefer the Xbox 360 app -- like Windows 8 and other platforms, the current app brings mostly clips and other tidbits -- that's on the way. Variety indicates it will hit the console June 25th, but, despite its post-E3 launch, its Xbox One launch plans are "not determined." There's a quick video preview embedded after the break, or you can hit the source link below and grab the free app for yourself.

Twitter just boosted its security with a new two-factor login method. The new option, which was announced in the form of a YouTube video, oddly enough, allows users to require a verification code each time they log in. Once this is enabled, Twitter will send a code to your phone each time you log in from the website or third-party apps. You'll need to type in that temporary code to access your account. It's a process many of us are already familiar with -- online banking, corporate intranet sites and services like Evernote offer similar two-factor authentication options to their users. It's not clear when the new feature will roll out (it hasn't hit our account just yet), but once it's available, setup appears to be straightforward. You can see how it works in the video just past the break.

A lot has changed in the security realm since 2008 -- remember Alicia Keys' recent attempt to convince us her Twitter account was hacked, when we all know she still uses an iPhone even as BlackBerry's Creative Director? Pranks aside, the consumer world alone has been overrun with mass data hackings -- everyone from Evernote to Microsoft to Sony to RSA has felt the wrath. To combat all of this, Google is revamping its five-year security plan, which calls for a complex authentication code replacing the conventional password in due time; in other words, Google is going to make it harder to access your accounts when initially setting up a device, but hopes you'll deal. Eric Sachs, group product manager for identity at Google, put it as such: "We will change sign-in to a once-per-device action and make it higher friction, not lower friction, for all users. We don't mind making it painful for users to sign into their device if they only have to do it once."

The documents also suggest that two-step verification may soon become less of an option, and more of a mandate. Sachs straight-up confesses that Google didn't predict the current level of smartphone adoption back in 2008, but now realizes that utilizing mobile hardware and apps as friction points for logging in makes a lot more sense. A huge swath of Google users are already carrying around a product that could be used as a verification token, so the obvious solution is to make use of that. We're also told that learnings from Android will be carried over to Chrome, and further into the world of web apps. No specific ETAs are given, but trust us -- half a decade goes by quickly when you're having fun.

Google's already investing in two-factor authentication, but it's making a bigger commitment to the security method by joining the FIDO (Fast IDentity Online) Alliance's board of directors. Founded in part by heavyweights Lenovo and PayPal, the group envisions a future where an open standard developed by it will lead to interoperable two-step security that can log users into sites and cloud apps across the web -- not to mention replace passwords as we know them. While support for USB keys is certainly in the works, the group expects to throw its weight behind the likes of NFC, voice and facial recognition, fingerprint scanners and more. There's no telling how soon FIDO's efforts will bear fruit, but the search titan's support ought to help move things along.

This here narrative begins back in April, when ARM, Giesecke & Devrient and Gemalto teamed up and gave themselves precisely nine months in which to find the perfect brand name for their newly merged mobile security platform. Today, we're looking at the fruits of their efforts: Trustonic; a word which snappily captures the essence of what's at stake (trust-onic) and which you may soon encounter in connection with your next-gen smartphone, Mastercard payment app or 20th Century Fox DRM'd media.

What does Trustonic do, exactly? Pretty much what Mobicore already does in the Galaxy S III, or what Trusted Foundation does inside a Tegra-powered tablet: it allows certain pieces of software to tap into hardware-level encryption and authentication, courtesy of the TrustZone silicon that many ARM chips already contain, thereby removing many of the risks associated with malware and other intrusions within the mobile OS. As far as we understand it, the key difference with Trustonic is that it won't require direct input from OEMs like Samsung and NVIDIA, but will instead be more readily accessible to any banking, payment or DRM service that is willing to pay for a key. In return, the service would get enhanced security and faster logins for its users, who'd only need to enter a short, locally-verified PIN rather than wading through cloud-based steps to prove their identity. Indeed, perhaps that's where the tonic comes into it.

ArenaNet is using Google's authenticator, which is available on iOS, Android, and Windows Phone, and players will use this authenticator to verify devices rather than the previous email authentication system. The team is advising people that this is currently a beta feature, and already has two changes planned for the near future. Soon, unlinking the mobile authentication system will require additional codes, and users will have an option to remember current networks rather than having to authenticate every login.

With a hand-in-glove relationship with the world of business, it's key that Microsoft ensures it can keep companies' data safe. That's what prompted Steve Ballmer to whip out his checkbook to snap up PhoneFactor, a multi-factor authentication company that uses smartphones instead of code-generating security tokens. With its new toy, Redmond plans to integrate the feature into its services like SharePoint, Azure and Office 365, letting users sign on with their own device as a key element of the signing in process.

Apple made much ado of the Lightning connector it launched side-by-side with the iPhone 5, but what we've known about it has been limited outside of the presence of an authentication chip. Double Helix Cables' Peter Bradstock has delved deeper and tells AppleInsider that there's some clever wiring that clinches the reversible design. While Lightning's power supply is truly symmetrical among the contact pins, the data isn't -- which suggests a chip inside is redirecting data to keep the plug working as intended. The technique helps explain why Apple would need any elaborate circuitry in the first place. No matter the wizardry inside, Bradstock doesn't see any cut-rate Lightning alternatives being useful in the near future: as it's unlikely that anyone outside of Cupertino knows how the authentication works at this stage, clone cables may amount to little more than heaps of metal and plastic.

O'Brien began by reiterating one of the golden rules of account security: Use a strong and unique password for any account that you don't wish to have compromised. He pointed out that simply having a strong password does you almost no good if you've got the same password with the same email used for an account elsewhere -- if one such account is compromised, they all are. The same rule of having a unique password applies to the email account you use for authenticating your GW2 login attempts: the email authentication system can only protect you if your email is secure. Fans of two-factor authentication will be pleased to hear that Guild Wars 2 will have a two-step authentication system soon. "We had our own homegrown implementation of smartphone two-factor authenticator in testing, but we're going to pull it back and instead integrate Guild Wars 2 with Google Authenticator, which already has robust authenticator implementations on most major smartphone platforms. We expect to roll this out in the next two weeks."

But that's not all! ArenaNet is also building a password blacklist (which is 20 million passwords long and growing) that blocks all passwords for which hackers are already scanning. According to O'Brien, "the rate of account hacking was about 1.5% for accounts created before this blacklist was in place, and is about 0.1% for accounts created after." This announcement comes with the request that existing customers change their password so that the blacklist protects them as well.

If you're concerned about account security, there's a new feature Blizzard want you to know about. They've been reminding us all about this feature via the forums, and have posted this informative, if somewhat bizarre video to tell us all about it.

The new feature, introduced a few months back, is Battle.net SMS Protect. It's a free service, as long as your mobile phone service provider doesn't charge you to receive text messages, in which case text messages would be charged at the usual rate. SMS Protect cannot use any type of messaging other than text messaging, and doesn't require a smartphone to work -- all your phone needs is the ability to receive SMS text messages, making this a nice feature for those players who don't have smartphones.

There have been mixed reports on whether it works with prepaid mobile phones, but where it hasn't been working that's usually because carriers don't allow the receipt of SMS text messages.

SMS Protect is not designed to replace the authenticator, either the phone authenticator or the physical authenticator. Rather, it is an alert system, designed to warn you about suspicious activity on your account, and allow you to perform certain actions with your phone. Hit the break for more information!

NBC's Olympics Live Extra may have lost its original raison d'être after the flame was extinguished in London, but that doesn't mean it's time to purge the app from your phone's home screen. An update for Android and iOS users alike is giving the title new life as NBC Sports Live Extra, and the name makes it quite obvious that you'll have a lot more to watch than just biathlons and fencing. NBC expects to offer live streaming for the European PGA, LPGA, MLS, NHL, Notre Dame, PGA, Ryder Cup and other events or leagues culled from the channel formerly known as Versus. Highlights, social sharing and other side features will carry over as well. You don't have to do a thing beyond check for a new version to make the switch to the already updated apps, but you will have to subscribe to conventional TV to use them properly: NBC is requiring TV Everywhere authentication for access to most of what's on offer from NBC Sports Network and the Golf Channel.

Cal and Stanford fans away from home no longer have to huddle around their laptops if they want to learn who's one-upping who. The Pac-12 Conference has just launched an iPad app for its authenticated Pac-12 Now service: as long as you're with a TV provider that carries the college sports division's games (sorry for now, DirecTV customers), you can tune into 850 live matches spread across a myriad of sports. As you'd hope, going the digital route allows for some on-demand viewing, a dedicated program guide and the social sharing you'll want to rope friends into watching. Only Bright House, Cox and Time Warner Cable subscribers can use the iPad viewer at first, although support should come to BendBroadband, Comcast, Frontier and Suddenlink this fall, right alongside Android- and iPhone-sized apps. Hopefully, they arrive in time for a little ego padding around the Big Game in October.